Optimality of Gaussian Attacks in Continuous Variable Quantum Cryptography 
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We analyze the asymptotic security of the family of Gaussian modulated Quantum Key Distri- 
bution protocols for Continuous Variables systems. We prove that the Gaussian unitary attack is 
optimal for all the considered bounds on the key rate when the first and second momenta of the 
canonical variables involved are known by the honest parties. 

PACS numbers: 03.67.Dd, 03.67.-a, 03.67.Hk 



In 1984 Bennet and Brassard introduced the concept of 
Quantum Cryptography and presented the first Quantum 
Key Distribution (QKD) protocol: BB84 Jj. The origi- 
nal idea was that in Quantum Mechanics, and contrary 
to Classical Physics, the observation of a system invari- 
ably perturbs the system under observation. Therefore, 
if two honest parties, Alice and Bob, establish a quan- 
tum channel and use it to send information, an eaves- 
dropper's presence could be detected by analyzing how 
the noise-free channel has changed. It was then shown 
that QKD protocols are completely secure against any 
eavesdropping attacks as long as the bit error rates do 
not exceed a certain value (see for instance and ref- 
erences therein). In the meantime, new applications of 
Quantum Mechanics to certain information tasks started 
to develop: coin tossing, dense coding, teleportation... 

All these results first appeared in the context of dis- 
crete systems, but many of them were later translated 
into the language of Continuous Variables (CV) systems. 
This is per se an interesting theoretical problem. How- 
ever, the main motivation for dealing with these systems 
comes from a practical point of view: although the set of 
feasible operations is reduced, the so-called Gaussian op- 
erations are easy to implement and amazingly precise. 
Quantum cryptography with continuous variables sys- 
tems 0; S IE IS S 13 was the most immediate result: 
the transmission of coherent or squeezed pulses of light, 
together with homodyne measurements, allows perform- 
ing QKD with very high key rates . 

The security analysis of these new protocols is not 
straightforward. First of all, the commonly used reconcil- 
iation and privacy amplification protocols are designed to 
correct and distill secret bits from binary random vari- 
ables, althou gh s ome have been adapted to continuous 
variables [l(l lllj. Second, the dimension of the Hilbert 
space on which the CV systems are defined is infinite 
in theory, which makes a complete tomography impossi- 
ble in principle, thus preventing Alice and Bob to know 
precisely the state they are actually sharing. Therefore, 
security proofs for CV protocols have to consider the op- 
timal attack by Eve when Alice and Bob know their state 
is in some set, usually defined by the momenta of the 



quadratures up to second order 12]. In her search for 
information. Eve's possible attacks can be classified in 
three different types |l3| : individual attacks, where Eve 
interacts individually with the sent states and measures 
them individually before public reconciliation; collective 
attacks, where Eve applies the same unitary individual 
attack over the sent states, but performs her (possibly 
collective) measurements at any time during Alice and 
Bob's reconciliation protocol and coherent attacks, where 
Eve is allowed to perform any unitary collective interac- 
tion over the sent states and any measurement strategy 
at any time she wants. The latter is the most general 
attack Eve can use. Most of the present security proofs 
give necessary and sufficient conditions for key distilla- 
tion when Eve is restricted to perform an individual 0,0 
or finite-size coherent attack [l3|. General proofs of se- 
curity are given in l^l for a squeezed-state protocol and 
in ImIisI for coherent states. 



Recently, bounds on extractable key rates have been 
derived for the case of collective [l£|, [Tg] and general at- 
tacks These bounds are easy to adapt to a wide 
class of protocols, since they correspond to the differ- 
ence of smooth entropies, which tend to Von Neuman or 
Shannon entropies in the asymptotic case. In this work 
we analyze a family of CV protocols based on Gaussian 
modulation. This family includes most of the protocols 
in the field of CV systems, such as those of Refs. 5j us- 
ing squeezed light, or those of Refs. 0, ^ that employ 
coherent states. We prove that for all of them, the Gaus- 
sian attack is the unitary attack by Eve that minimizes 
the bounds on the key rate of jl^ [l7l | , when Alice and 
Bob know the quadrature momenta of their state up to 
the second order. Therefore, Gaussian attacks turns out 
to be optimal for these protocols. 



We consider quantum systems of n canonical de- 
grees of freedom, called modes, belonging to B{H{W^)). 
These are characterized by the set of operators S — 
(Si,---,52n) = {Qi,Pir ■ ■ ,Qn,Pn) Satisfying the 
canonical commutation relations [Sj, S^] = i{(Jn)jki 
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where (T„ is is the n-mode symplectic matrix, 

A state is said to be Gaussian iff its density matrix, p, is 
the exponentiai of a quadratic function / on the canonical 
operators of the system, i.e., 

p = exph/(S)]. (2) 

Because of their simple structure, any Gaussian state can 
be completely described in terms of its displacement vec- 
tor, d, and its covariance matrix, 7, both defined as 

dfc = (Sfc) = tr(pSfc) 
Iki = tr {p{Ek ~ dk,Ei - di}+) , 

where {}^ denotes the anti-commutator. Therefore, 
Gaussian states are characterized just by the first and 
second order momenta of the canonical variables S. 
Gaussian operations are completely positive (CP) maps 
that map Gaussian states into Gaussian states. 

The considered CV QKD protocols are based on ran- 
dom Gaussian modulation of squeezed or coherent states 
of light 0, They are prepare and measure (P&M) 
protocols, suitable to realistic implementation with to- 
day's technology. However, for any P&M measure pro- 
tocol there exists a completely equivalent entanglement- 
based scheme X9j . This description simplifies the theo- 
retical analysis, even if it would be more difficult to imple- 
ment experimentally. The entanglement-based scheme 
consists of the following five steps (see also 1) Al- 

ice prepares a two-mode squeezed state. 2) She performs 
a measurement over the first mode. This measurement 
projects the second mode into a randomly displaced (pos- 
sibly squeezed) state. If Alice performs a heterodyne 
measurement, she effectively prepares a coherent state 
on the second mode. If she randomly chooses to perform 
a homodyne measurement on Q or P, she is effectively 
preparing a randomly displaced squeezed state. 3) She 
sends the second mode to Bob via a noisy quantum chan- 
nel. 4) Bob receives the state sent by Alice. He performs 
either a homodyne measurement in Q or P, or a het- 
erodyne measurement, his result being y. 5) Alice and 
Bob apply one-way Error Correction (EC) and Privacy 
Amplification (PA) codes to distill a perfect secret key. 
If the classical communication flows from Alice to Bob, 
we speak about Direct Reconciliation (DR). On the con- 
trary, if it is Bob who sends the classical information to 
Alice during the reconciliation process, we say they are 
using a Reverse Reconciliation (RR) protocol j2ll |. 

Recently, general bounds on the extractable key rate 
under collective attacks have been published 0, ll^ . 
All of them exploit the entanglement-based picture, but 
of course they also apply to the corresponding P&M 



scheme. They are expressed in terms of entropy quan- 
tities. Throughout this work, the same notation H is 
used for the (classical) Shannon entropy and the (quan- 
tum) Von Neuman entropy. Let X (Y) be the random 
variable associated to Alice's (Bob's) rneasured quantity 
and by x (y) its value. According to [la,ll3) the key rate 
K obtained using Direct Reconciliation is bounded by 

K>I{X:Y)- x{X : E) = K,,u. (4) 

Here I{X : Y) denotes the classical mutual information, 
I{X : r] = H{Y)-HiY\X), while x refers to the Holevo 
bound 1231 , 

X(X : B) = H{B) - H{B\X), (5) 

where H{B\X) = Y.xPi^)H{B\X = x). Formally, / 
and X look identical, but they refer to different type of 
variables. While the mutual information only deals with 
classical random variables, the Holevo bound quantifies 
the accessible classical information on quantum states. 
This justifies the different notation. 

Suppose now that Bob is allowed to use a collective 
arbitrary measurement on many copies of the received 
states. Of course, this is a rather unrealistic scenario, 
but it provides an upper bound to the maximum one-way 
secret key rate when Bob is free to perform any individ- 
ual measurement. If, again. Eve is restricted to apply 
collective attacks, the key rate, upon Bob optimizing his 
measurement, is given by |l6| : 

K>x{X:B)- x(X : E) ^ K^- (6) 

In these two bounds, namely Eqs. and ©, the first 
term specifies the correlation between the honest par- 
ties. It quantifies the amount of classical information 
Alice and Bob should exchange to correct their errors. 
The second term estimates Eve's knowledge on Alice (or 
Bob's) variable. It is thus related to the amount of pri- 
vacy amplification required to make Eve's information 
vanishing. 

Eve's attack has to be defined in order to compute the 
secret key rate and needs therefore to be optimized. In- 
deed, after the estimation strategy, Alice and Bob have 
some knowledge about their state, this information being 
denoted by g. In the calculation of key rates, as for any 
other interesting function, Alice and Bob should mini- 
mize Q or over the set G, consisting of all states p 
compatible with g (see also j23j). 

In the CV scenario, it is natural to take g, i.e., Al- 
ice and Bob's information on their state, as the first and 
second moments on the measured quadratures. The first 
order correlations do not play any role in the discussion, 
as they can be changed arbitrarily by the use of local 
unitaries. As shown in the next lines, for fixed second 
(and first) moments, the corresponding Gaussian state 
optimizes the bounds on the key rates given above. In- 
terestingly, the Gaussian attack turns out to maximize 
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Eve's information as well, ■ Before proceed- 

ing with the proof of these results, we spend some lines 
clarifying the notation used from now and on. 

Let p e B{Ti,^) be a density matrix in any Hilbert space 
Ti. Then p denotes the corresponding density matrix of 
a Gaussian state characterized by the same covariance 
matrix and displacement vector as p. Analogously, if 
p (x) is a probability distribution, then p (x) (or p for 
short) denotes the Gaussian probability distribution with 
the same first and second momenta as p{x). Moreover, 
if F{x) represents any quantity concerning a variable x, 
described by a certain distribution then F has to 

be understood as the same functional F calculated from 
the distribution p. /\F will be a shorthand notation for 
the difference of these two quantities, AF — F — F. 

Three results are used in what follows. First, let p G 
B{Ti?) be any physical state of a system A and p the one 
into which p is transformed after the measurement of the 
classical variable X . The measurement is defined by a set 
of positive operators {Mx\x obeying cixM^M^ = I. 
One has 

p — \x){x\dxMxpM^ = ^'^^p {x)dx\x){x\dx'S> p\x, (7) 

X X 

where p\x is the normalized state of p knowing X — x, 

MxpMl 



similar arguments, it can be seen that the same property 
is fulfilled by probability distributions, i.e., 



P\x 



p{x) 



(8) 



and p(x) — tv{MxpM\). It is straightforward to check 
that 



il{A\X) =H{A) -H{X), 



(9) 



where H denotes the Shannon entropy for the measure- 
ment outcomes, i.e., H{X) — —'^^p{x)dxlog(jj{x)dx), 
H{A) — — trplogp is the von Neumann entropy of the 
measured quantum state p and the conditional entropy 
H{A\X) is p (x)(ia;S'(p|^). In the case of continu- 
ous variables, this expression is not bounded in the limit 
dx — > 0. Therefore, we will only take such limit (if neces- 
sary) for the computation of the final mutual (or Holevo) 
information quantities, which stay finite. 
Second, for any state p, one has 

AH{A) = H{p\\p) > 0, (10) 

where H{p\\p) denotes the relative entropy 

Hip\\p) = tr(plogp) - tr(plogp). (11) 

Note that since the relative entropy is never negative, 
the state of maximal entropy for fixed first and second 
moments is Gaussian . In particular, if Alice and Bob 
share a state Pab, they can bound its entropy from its 
covariance matrix, that is, H{pab) < F[{pab)- Using 



where 



AH{X) = H{X\\X) 



H{X\\X) = ^p(a;)da;log 



p{x) 



(12) 



(13) 



Third, the relative entropy (|ll|l never increases after 
the application of a trace-preserving map (or a stochastic 
map in the classical case). That is, for any of those maps, 
denoted by T, and any two states, pi and p2, 



H{p,\\p2)>H{T{p,)\\T{p2)). 
This obviously imply 

AH{A) > AH{T{A)). 



(14) 



(15) 



for any Gaussian trace preserving channel T, and for any 
quantum state or classical random variable A. 

To prove the optimality of Gaussian attacks, we first 
show that for fixed first and second moments, the Gaus- 
sian attack maximizes Eve's information, xi-^ : E). In 
order to give the maximally possible information to Eve, 
one has to consider that the global state shared by Alice, 
Bob and Eve is pure. Then, 

AxiX : E) = AH{E) - AH{E\X) 

= AH{AB) - AH{AB\X) 

= AH{AB) - AH(AB) + AH{X), (16) 

where we first use the fact that the global state is pure 
and then 0. Now, since the channel AB AB defined 
by the A"-measurement is Gaussian, AH{AB) — AH{AB) 
is not negative. This, together with (|10|l . implies that 

Ax{X : E) = x{X : E) - x{X :E)>0, (17) 

so the Gaussian attack maximizes Eve's information for 
fixed first and second moments. 

Furthemore, the mutual information between Alice 
and Bob is minimized if Eve's attack is Gaussian: one 
has 

AI{X : Y) = AH{X) + AH{Y) - AH{XY) < (18) 

The first term is null since Alice's modulation is Gaus- 
sian, and the difference of the last two terms is negative, 
following from H15|l . for the map XY — > Y. The opti- 
mality of Gaussian attacks is therefore proved. A very 
similar argument can be used to prove the optimality of 
these attacks with respect to Eq. ©. 

It is important to stress here that most of the known 
bounds on the secret-key rate, including Eqs. iQJ and 
©, were introduced for finite-dimensional systems, so in 
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principle they should be carefully applied to the contin- 
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sliced-reconciliation CV protocol of achieves the rate 
Q for the case of collective attacks. This result has to 
be combined with the fact that, for discrete variable sys- 
tems as well as for continuous variable systems, collective 
attacks are the most powerful general attacks, This 
means that the bounds considered in this article actually 
provide general security bounds for CV systems. The ex- 
plicit computation of these bounds for the Gaussian case, 
now proven to be optimal, can be found in |25|. 

Before concluding, we would like to comment on the re- 
cent related results of [13 ■ There, it was shown that, for 
a given covariance matrix, the state with minimal distill- 
able secret-key rate is Gaussian, assuming the distillable 
secret-key rate is a continuous functional. This implies 
that, up to the continuity assumption, Alice and Bob, for 
fixed first and second moments, can safely assume their 
state to be Gaussian, whenever they are able to apply any 
protocol. This result is very interesting and satisfactory 
from a theoretical point of view. However, one should be 
careful when applying it to a practical scenario. Indeed, 
the distillable secret-key rate is defined with respect to 
the optimal protocol. However, the optimal protocol can 
be very challenging from a practical point of view. For 
instance, it may include local coherent and non Gaussian 
operations among several copies of the state. In particu- 
lar, it may be quite different from the realistic protocol 
considered here, where the techniques (measurements) 
used for the correlation distribution are fixed, and exper- 
imentally feasible. Thus, one cannot directly apply the 
results of 23] to the considered protocols and conclude 
that the optimal collective attack is Gaussian. 

We have studied the security limits for the CV QKD 
protocols proposed in ^] and using the recently ob- 
tained lower bounds on the secret-key rate under collec- 
tive and general attacks, and we have proven the opti- 
mality of Gaussian attacks for these bounds. 

In order to improve the derived security conditions, 
note that we have always studied the situation in which 
Alice and Bob use one-way reconciliation protocols. Two- 
way communication protocols should be analyzed as well, 
to completely solve the problem of secret key extraction. 
Such protocols {e.g. CASCADE j22j) have already being 
used in key distribution experiments or in the scheme 
proposed in 0, even if the security analysis for these 
cases is only preliminary yet. 

Note added: The optimality of Gaussian attacks has 
been also proven using different techniques in |27i | . 
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